UnixTime

Research Note

A.6 People Controls Implementation Guide

1. Identify people categories in ISMS scope: employees, contractors, temporary staff, consultants, and third-party users. 2. Map role risk using access level, information classi...

On this page

Implementer lens

Use this page when designing people controls, assigning owners, creating records, and preparing implementation evidence.

Implementation objectives

Control Practical objective Main owner Core records
A.6.1 Screening Verify personnel suitability before trust or sensitive access is granted HR / recruitment / hiring manager Personnel Screening Register, Background Verification Checklist
A.6.2 Terms and Conditions of Employment Make security responsibilities explicit before work or access begins HR / legal / procurement Security Terms and Conditions Checklist, Confidentiality Agreement Register, Personnel Security Responsibility Acknowledgement
A.6.3 Information Security Awareness Education and Training Make personnel competent and aware before they handle information, systems, or security responsibilities HR / security / managers / training owner Security Awareness and Training Plan, Role-Based Security Training Matrix, Security Training Record
A.6.4 Disciplinary Process Formalize fair and evidence-based response to security policy violations HR / legal / security / managers Disciplinary Process Checklist, Policy Violation and Disciplinary Action Register
A.6.5 Responsibilities After Termination or Change of Employment Remove old access/assets and communicate continuing duties for leavers and movers HR / IT / facilities / managers Leaver and Role Change Security Checklist, Post-Employment Security Responsibilities Register
A.6.6 Confidentiality or Non-Disclosure Agreements Identify, sign, review, and enforce confidentiality/NDA requirements before information access Legal / HR / procurement / information owners Confidentiality Agreement Register, Confidentiality Agreement Review Checklist
A.6.7 Remote Working Authorize and control remote work by user, activity, location, data, equipment, and control set HR / IT / security / managers Remote Working Authorization Register, Remote Working Security Checklist, Remote Working Risk Assessment
A.6.8 Information Security Event Reporting Provide simple, timely reporting channels for observed or suspected security events Security / service desk / managers Information Security Event Report Form, Information Security Event Reporting Channel Register

Implementation workflow

  1. Identify people categories in ISMS scope: employees, contractors, temporary staff, consultants, and third-party users.
  2. Map role risk using access level, information classification, business criticality, and legal obligations.
  3. Define screening and contractual requirements proportionate to role risk.
  4. Embed requirements into onboarding, contractor onboarding, and access provisioning workflows.
  5. Define baseline awareness and supplementary training for specialist roles.
  6. Define disciplinary triggers and evidence thresholds for security policy violations.
  7. Define leaver, mover, access removal, asset return, and continuing duty workflows.
  8. Identify confidentiality/NDA needs before confidential information is shared.
  9. Authorize remote working only after required physical, endpoint, connection, access, and data controls are defined.
  10. Provide reporting mechanisms and training for observed or suspected information security events.
  11. Protect personnel, screening, training, disciplinary, offboarding, remote working, and event records as personal data where applicable.
  12. Trigger updated checks, acknowledgements, training, agreements, access changes, or reporting procedures when role, access, policy, procedure, location, or threat context changes.
  13. Link evidence to the Statement of Applicability and Risk Assessment.

Implementation decisions

Decision Why it matters
Which people categories are in ISMS scope? Prevents contractors and third-party users from falling outside controls
Which roles require stronger screening? Keeps screening proportional and lawful
What must be completed before access? Prevents late controls after trust is already granted
Who owns personnel security evidence? A.6 evidence often lives in HR, legal, procurement, and managers’ records
How long are records retained? Avoids privacy and records-protection failures
Which roles need supplementary training? Prevents annual generic awareness from being mistaken for competence
What evidence is enough before disciplinary action? Prevents unfair or inconsistent response to security violations
How are movers handled? Prevents old access and segregation-of-duties conflicts
Which confidentiality agreement applies? Prevents generic NDAs from missing real information-protection needs
Which remote work contexts are allowed? Prevents VPN access from being mistaken for controlled remote work
What should personnel report? Prevents under-reporting and false confidence from “no events”
  • Iso27001
  • ISO27002
  • Implementer guide
  • People controls

Note Metadata

Aliases: A.6 Implementation Guide

Source: 05 Implementer Guide/A.6 People Controls Implementation Guide.md